The banks are finally buying the vaults. In May, BNY, the world’s largest custodian with $59.4 trillion in assets under custody and administration, announced it would offer Bitcoin and Ethereum custody in Abu Dhabi. Weeks later, Standard Chartered confirmed it will fully acquire Zodia Custody, the digital asset custodian it incubated in 2020, with the deal expected to close by the end of August.
Once a back-office concern for crypto-native firms, custody has now become a strategic priority for the world’s biggest banks.
However, the institutions best known for managing risk are buying into Bitcoin infrastructure just as the industry admits it has an unsolved cryptographic problem.
A new report from Taurus, the Swiss digital asset technology firm that counts Deutsche Bank among its backers, argues that every custodian on the market today remains exposed to a future quantum transition, and that one of the industry’s most popular custody architectures may face structural limits when blockchains eventually migrate to quantum-resistant signatures.
To see why, it helps to understand what a crypto custodian actually does. Owning Bitcoin means controlling a private key, a long secret number that authorizes movement of the coins. Whoever knows that number can spend the assets, and anyone who loses it permanently loses the assets.
A custodian’s entire job is to guard those keys and use them to produce digital signatures, the mathematical proofs that tell the network a transaction is genuine. Every spot Bitcoin ETF, every tokenized fund, and every corporate treasury position ultimately rests on how some custodian generates, stores, and uses these keys.
Two types of architecture dominate that business.
Multi-party computation, or MPC, splits a key into fragments held on separate machines, so the full number never exists in one place, and a thief would need to breach several systems at once.
Hardware security modules, or HSMs, take the opposite approach and lock the key inside a single piece of specialized, tamper-resistant hardware that destroys itself if anyone interferes.
The Taurus report contends that these two designs face very different futures once quantum computers enter the picture, and that the difference should concern any institution choosing its custody stack now.
The vault can be ready before the blockchain is
The signatures securing Bitcoin and Ethereum rely on elliptic curve cryptography, a branch of mathematics built on problems so hard that every computer on Earth working together couldn’t reverse them.
A sufficiently large quantum computer running Shor’s algorithm could solve those problems pretty quickly, meaning it could read a public key on the blockchain, derive the corresponding private key, and forge transactions.
But that machine is still hypothetical. Current quantum computers are research prototypes at roughly 100 qubits, far short of the hundreds of thousands needed, and Taurus’s own view is that a cryptographically relevant machine before 2040 is pretty unlikely based on current evidence. CryptoSlate has repeatedly noted how headlines exaggerate the near-term danger.
The case for acting now rests on timelines rather than panic. The US standards agency NIST published its first post-quantum cryptographic standards in August 2024, providing the world with vetted replacement algorithms.
NIST IR 8547 deprecates today’s signature schemes after 2030 and disallows them after 2035. Migrations of this scale take years, which is why Wall Street has already begun debating how Bitcoin should adapt.
The most valuable insight in the report concerns a constraint unique to blockchains. A bank can upgrade its own internal security this quarter, and many already serve quantum-safe web connections.
But Bitcoin sits outside any single institution’s control. When a custodian signs a transaction and broadcasts it, thousands of independent computers around the world check that signature against the network’s shared rules, and those rules currently recognize only the classical schemes.
A custodian that deployed post-quantum signing today would produce transactions that Bitcoin and Ethereum simply reject as invalid.
Changing the rules requires protocol upgrades, wallet updates, agreement among node operators, and the migration of millions of users, a process already underway in proposals like Bitcoin’s BIP-360 and Ethereum’s post-quantum research agenda.
This is why every provider, Taurus included, remains dependent on the chains themselves. The realistic objective, the report argues, is to make every layer a custodian controls quantum-ready, then migrate on-chain when the ecosystem gets there, which Taurus estimates could happen by 2029 or earlier.
The report also offers a counterintuitive observation it calls the quantum gravity principle: a computer capable of breaking Bitcoin would almost certainly be pointed at richer targets, such as state secrets and banking infrastructure, and the mere knowledge of its existence would crash crypto prices before any theft could pay off.
The nearer-term danger is the harvest-now-decrypt-later attack, in which adversaries record encrypted traffic today, store it cheaply, and decrypt everything once a capable machine arrives.
Why MPC has become the flashpoint for quantum security
The sharpest claim in the report concerns MPC, the architecture favored by many crypto-native custodians and fintechs. Taurus acknowledges that splitting keys across machines makes theft harder, since an attacker must compromise multiple systems rather than a single one.
The catch is that all those machines cooperate to produce an ordinary elliptic curve signature, the only kind the blockchain accepts, so the mathematics a quantum computer would attack stays identical, no matter how many parties share the work.
MPC systems also rely on their own cryptographic machinery to authenticate participants and secure the channels between them, and much of that machinery rests on the same vulnerable mathematical assumptions.
Then comes the structural argument. Top-tier HSMs from vendors like Thales already run post-quantum signature algorithms inside their hardware, subject to firmware versions, so supporting a new scheme mostly means installing it.
MPC faces a harder road, because each new signature family requires researchers to invent a fresh protocol for computing that signature across multiple machines without ever assembling the key. For lattice-based schemes such as ML-DSA, these protocols emerged only in 2025 and 2026 and remain unvalidated for production use.
For hash-based schemes such as SLH-DSA, the report claims a fundamental mathematical barrier: hash functions deliberately scramble any structure in their inputs, and it’s the structure that multi-party protocols exploit to divide the signing work.
That finding stings because hash-based signatures are what most networks are choosing. Circle’s post-quantum roadmap for Arc selects SLH-DSA-SHA2-128s for smart-account verification, Aptos has proposed the same scheme, and Ethereum researchers are weighing hash-based options too.
The claim deserves scrutiny rather than acceptance. Taurus builds custody technology with HSM roots and has a commercial interest in this comparison; the report discloses that it was prepared solely by Taurus, without independent verification.
SLH-DSA also carries practical baggage of its own, since its signatures run 7,856 bytes, compared to 64 for today’s standard, an awkward fit for high-volume transaction signing under any architecture.
MPC vendors could plausibly adapt to lattice-based schemes if those win out instead, and whether hash-based signatures actually become the dominant blockchain choice remains open. Cryptographers outside Taurus should weigh in on whether the incompatibility holds as broadly as claimed.
Still, the tension underneath this data certainly survives the caveats. Banks, ETF custodians, and exchanges are concentrating billions of dollars of client assets within custody architecture chosen years before anyone knows which post-quantum schemes blockchains will adopt.
A migration, when it comes, could mean rotating wallets, generating new addresses, obtaining client approvals, and absorbing operational pauses across the entire institutional stack, with auditors, insurers, and regulators watching every step.
The bigger question raised by the BNY and Standard Chartered goes beyond whether banks should hold Bitcoin keys. It asks whether the vaults they’re buying today can be rebuilt while the assets are still inside.